Applies To:

GroupID 8, 9, 10 - Synchronize

Business Scenario:

We have a list of employees who are not with the company anymore and we would like to treat them as follows:

  • Disable the accounts
  • Move disabled accounts to a different container
  • Clear their group memberships except for a specific group

Steps:

  1. In GroupID Management Console, expand the Synchronize node, right-click All Jobs and select New Job.
  2. On the Select Source page of the New Job wizard, select the source file containing the employee IDs of disabled users and click Next.
  3. On the Select Destination page, specify the destination, which is Active Directory in our case. Provide credentials to connect to the directory and click Next.
  4. On the Sync Object Options page, select the User check box as the object type and select the Skip operation, since we are only updating existing users and not creating new ones.
  5. On the Select Fields page, add the EmployeeID and Disable Account fields to the Selected Fields box.
  6. The next and most important page is the Field Map(s) page. Map the destination EmployeeID field to the corresponding field in the source file. For Disable Account, use the Static transform with the value set to “TRUE”.

  7. Now click Edit Global Script.
  8. In Global Script Editor, click Tools > Add/Remove Reference on the menu.
  9. On the Add Reference dialog box, click Browse, go to the following location (for GroupID 8) and select the file Imanami.Synchronize.ActiveDirectoryTool.dll:
     
    [GroupID installation drive]:\Program Files\Imanami\GroupID 8.0\Synchronize\PowerTools

  10. Now back in Global Script Editor, navigate to the DTM Row Finished section and add the following lines. Once done, it will appear somewhat like the image shown below.
     
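    ' Configure the tool from the job's destination
    ActiveDirectoryTool.ConfigureFromDestination()
    ' Clear the user's group memberships
    ActiveDirectoryTool.ClearMemberships()
    ' Add the user back to the one group whose membership is retained
    ActiveDirectoryTool.AddToGroup("DN of the specific group whose membership you would like to retain")
    ' Move the user to the container for disabled accounts
    ActiveDirectoryTool.MoveObject("LDAP://DN of the destination container to which you would like to move disabled users")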

    The code in the image will clear the group memberships of the disabled users, while retaining the membership of Group C and moving the disabled users to a container named Disabled Users.
     
  11. Now once again in Global Script Editor, click Build > Compile Script on the menu. Then save and close the editor.
  12. Complete the wizard to create the Synchronize job.

Now when you run this job, Synchronize will disable the user accounts for the Employee IDs mentioned in the source file, clear their group memberships except Group C, and move these disabled accounts to an existing container named Disabled Users.
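
A post-run check for the job described above, as an added example that is not part of the original article or the vendor's own code: it reports any account that is still enabled, sits outside the destination container, or holds memberships other than the retained group. The DNs, the employee IDs and the function name Test-OffboardedUser are constructed for illustration.

```powershell
# Added example. DNs and employee IDs are constructed; replace them with your own.
$RetainGroupDn = 'CN=Group C,OU=Groups,DC=example,DC=com'   # assumed DN of the retained group
$DisabledOuDn  = 'OU=Disabled Users,DC=example,DC=com'      # assumed DN of the destination container

function Test-OffboardedUser {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [Parameter(Mandatory)] [string] $RetainGroupDn,
        [Parameter(Mandatory)] [string] $DisabledOuDn
    )
    process {
        $issues = @()
        if ($User.Enabled) { $issues += 'account still enabled' }

        # Parent container = DN minus its first RDN (split on the first unescaped comma)
        $parent = ($User.DistinguishedName -split '(?<!\\),', 2)[1]
        if ($parent -ne $DisabledOuDn) { $issues += "located in '$parent'" }

        # Drop null/empty entries so an empty memberOf is handled cleanly
        $groups = @($User.MemberOf | Where-Object { $_ })
        $extra  = @($groups | Where-Object { $_ -ne $RetainGroupDn })
        if ($extra.Count -gt 0) { $issues += "unexpected groups: $($extra -join '; ')" }
        if ($groups -notcontains $RetainGroupDn) { $issues += 'retained group missing' }

        [pscustomobject]@{
            EmployeeID = $User.EmployeeID
            Compliant  = ($issues.Count -eq 0)
            Issues     = $issues -join ' | '
        }
    }
}

# Constructed sample objects shaped like Get-ADUser output
$sample = @(
    [pscustomobject]@{ EmployeeID = '1001'; Enabled = $false
        DistinguishedName = "CN=Ann Lee,$DisabledOuDn"; MemberOf = @($RetainGroupDn) }
    [pscustomobject]@{ EmployeeID = '1002'; Enabled = $true
        DistinguishedName = 'CN=Bo Kim,OU=Staff,DC=example,DC=com'
        MemberOf = @($RetainGroupDn, 'CN=VPN Users,OU=Groups,DC=example,DC=com') }
)
$sample | Test-OffboardedUser -RetainGroupDn $RetainGroupDn -DisabledOuDn $DisabledOuDn

# Live directory (needs the ActiveDirectory module), once per ID in the source file:
# Get-ADUser -Filter "EmployeeID -eq '1001'" -Properties EmployeeID, MemberOf |
#     Test-OffboardedUser -RetainGroupDn $RetainGroupDn -DisabledOuDn $DisabledOuDn
```

The memberOf attribute does not list an account's primary group, so the primary group is outside what this check evaluates.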
